1

I'm building a Sinatra app which needs to use a session variable for one very specific thing. The session variable is set when the user is looking at an SSL enabled page.

I'm using Heroku's piggyback SSL, so the SSL url is something like https://myapp.heroku.com

However, the app itself is hosted at my url, myapp.com

Is there a way to make my session variable, which is set while on the SSL / Heroku domain name, available to my app while on my domain name?

Derick Bailey

2 Answers

1

Unfortunately no, since the cookie is tied to the domain. What you'll have to do is either allow authenticated users to use the https://foo.heroku.com domain, and reserve your nice domain for the landing page & other unauthenticated pages.

That, or pay $20 for heroku's SSL add-on.

(I ran into this exact problem in http://appkickstand.com and I chose to just deal with the heroku url for logged in users)

Ben Scheirman
  • That's what I've done for now... once you hit my site and click "buy now" it sends you to Heroku's subdomain and you remain there for the entire purchase process. – Derick Bailey Nov 10 '11 at 15:53
0

You should look for cross-domain cookies manuals, check this.

But I don't see much reason in setting a cookie through a secured channel and transmitting it later via raw HTTP, where everyone could sniff it.

tensai_cirno
  • The cookie data is not sensitive and even if someone got it, there's nothing they can do with it. I don't have a database or store anything to be retrieved. I just use a simple session / cookie for a couple bits of data. The only time I can set it is when they are on my SSL page. – Derick Bailey Nov 10 '11 at 15:54
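
An added example, not part of either answer: a simplified model of the browser's cookie scoping rules (RFC 6265 domain matching plus the Secure flag), showing why a session cookie set on myapp.heroku.com never reaches myapp.com and when a cookie is exposed over plain HTTP. The names `Cookie`, `domain_match?`, `accepted?` and `sent_with?` are hypothetical, and Path, expiry and public-suffix checks are left out.

```ruby
require 'uri'

# Constructed record of what a browser stores from a Set-Cookie header.
# origin_host is the host that set the cookie; domain is nil when the
# header carried no Domain attribute (a "host-only" cookie).
Cookie = Struct.new(:name, :origin_host, :domain, :secure, keyword_init: true)

# RFC 6265 section 5.1.3: the host matches if it equals the cookie domain
# or is a subdomain of it (never for literal IPv4 addresses).
def domain_match?(host, cookie_domain)
  host = host.downcase
  dom  = cookie_domain.downcase.sub(/\A\./, '')
  return true if host == dom
  host.end_with?(".#{dom}") && host !~ /\A\d{1,3}(\.\d{1,3}){3}\z/
end

# A browser discards a cookie whose Domain attribute does not cover the
# host that sent it, so one site cannot plant cookies for another.
def accepted?(cookie)
  cookie.domain.nil? || domain_match?(cookie.origin_host, cookie.domain)
end

# Would the browser attach this cookie to a request for url?
def sent_with?(cookie, url)
  uri = URI.parse(url)
  return false unless accepted?(cookie)
  return false if cookie.secure && uri.scheme != 'https'
  if cookie.domain.nil?
    uri.host.downcase == cookie.origin_host.downcase
  else
    domain_match?(uri.host, cookie.domain)
  end
end

# Constructed sample cookies for the scenario in the question.
HEROKU_SESSION = Cookie.new(name: 'rack.session', origin_host: 'myapp.heroku.com',
                            domain: nil, secure: true)
FORGED_DOMAIN  = Cookie.new(name: 'rack.session', origin_host: 'myapp.heroku.com',
                            domain: 'myapp.com', secure: true)
OWN_DOMAIN     = Cookie.new(name: 'rack.session', origin_host: 'myapp.com',
                            domain: 'myapp.com', secure: false)

if __FILE__ == $PROGRAM_NAME
  ['https://myapp.heroku.com/buy', 'http://myapp.com/'].each do |url|
    puts "#{url}: heroku session cookie sent? #{sent_with?(HEROKU_SESSION, url)}"
  end
end
```
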